In their simplest form, network communications between a client and a server comprise requests from a client to a server that can be answered exclusively by that server and returned to the client. While such a system is indeed simple, it may not scale well and it may not allow the caller to interact simultaneously with multiple services, such as a file storage service, a database storage service and an electronic mail service over a single channel. To enable a client to still communicate with a single server, but yet allow the server to expand its capabilities, a tiered structure was utilized. In a tiered structure, the client could communicate its requests to a server that acted as a middle tier. That middle tier server would not itself, necessarily, comprise the relevant information needed to respond to client requests. Instead, the middle tier server could go back and reference one or more servers that were part of the back end tier of servers, to obtain the information requested by the client. Having obtained such information, the middle tier server could then respond to the client. From the perspective of the client, a single communicational endpoint, namely the middle tier, could provide access to a potentially unlimited amount of data and other informational resources.
To enable the middle tier server to respond to the client's request, it could be allowed to obtain information from the back end tier of servers on behalf of the client. From a security perspective, it can be harmful to allow the middle tier server to communicate as the client with other servers that are not in the back end tier of servers. Such an arrangement, whereby a client could provide a middle tier server with its password or long-term credentials, or other authentication information, and the middle tier server could then communicate with any servers, as the client, by providing this authentication information, was typically known as “unconstrained delegation” because the delegation of the client's role to the middle tier server was not constrained as to which server that middle tier could communicate with.
One solution to the security problems of unconstrained delegation was a delegation model typically known as “constrained delegation”, whereby a policy was put in place that limited the back end tier servers with which the middle tier server could communicate on behalf of, or as, the client. Typically, a constrained delegation model operated through a domain controller, which would reference one or more relevant policies and determine whether the middle tier server would be allowed to communicate with one or more back end tier servers on behalf of, and as, the client. For example, after a client provided a middle tier server with its authentication information, the middle tier server could request, from the domain controller, the right to act on behalf of, and as, the client to one or more servers in the back end tier. The domain controller, referencing one or more relevant policies, could determine whether or not to grant the middle tier server's request, and, if it did grant the middle tier server's request, the domain controller could provide the middle tier server with a service ticket, or other collection of information, that the middle tier server could present to one or more back end tier servers indicating that the domain controller has deemed it acceptable that the middle tier server act on behalf of, and as, the client in its communications with those back end tier servers.
Unfortunately, constrained delegation can be difficult to implement across multiple domains of networked computing devices. More specifically, back end tier servers in one domain would not necessarily trust the domain controller of another, different, domain, such as the domain that comprises the middle tier server. Instead, the domain controller of the domain that comprises the middle tier server can communicate, either directly or indirectly via the middle tier server and the back end tier servers, with the domain controller of the domain that comprises the back end tier servers and provide that second domain controller with sufficient information to enable it to determine that the middle tier server is, indeed, allowed to delegate to one or more of the back end tier servers. Such a model can be difficult to implement because it requires the cooperation of the administrators of multiple domain controllers or multiple domains. Additionally, such a model focuses the constraining of the delegation on whether the middle tier server is allowed, by the domain policy, to delegate to one or more of the back end tier servers.
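The constrained delegation decision and the cross-domain trust problem described above can be seen in a small model, added here as an illustration and not taken from the original text. It is a simplification, not Kerberos: an HMAC under a per-domain key stands in for the service ticket, and all names (web.A, db.A, mail.A, files.B, alice, the keys) are constructed for the example.

```python
import hashlib
import hmac
import json

class DomainController:
    """Toy policy decision point for one domain (assumed model, not real Kerberos)."""
    def __init__(self, domain, key, policy):
        self.domain = domain
        self._key = key          # secret shared only with this domain's servers
        self.policy = policy     # middle tier -> back ends it may delegate to

    def request_ticket(self, middle_tier, client, back_end):
        # Constrained delegation: grant only if policy lists this back end.
        if back_end not in self.policy.get(middle_tier, set()):
            return None
        body = json.dumps({"issuer": self.domain, "service": middle_tier,
                           "on_behalf_of": client, "target": back_end},
                          sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}

class BackEndServer:
    def __init__(self, name, domain_key):
        self.name = name
        self._domain_key = domain_key   # key of the one DC this server trusts

    def accept(self, ticket):
        """Return the client identity to act as, or None if rejected."""
        if ticket is None:
            return None
        expected = hmac.new(self._domain_key, ticket["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["tag"]):
            return None   # issuer is not this server's own domain controller
        claims = json.loads(ticket["body"])
        return claims["on_behalf_of"] if claims["target"] == self.name else None

# Constructed sample: two domains, each with its own key.
KEY_A, KEY_B = b"constructed-key-domain-A", b"constructed-key-domain-B"
dc_a = DomainController("A", KEY_A, {"web.A": {"db.A", "files.B"}})
db_a = BackEndServer("db.A", KEY_A)
mail_a = BackEndServer("mail.A", KEY_A)
files_b = BackEndServer("files.B", KEY_B)

def demo():
    return {
        "allowed": db_a.accept(dc_a.request_ticket("web.A", "alice", "db.A")),
        "not_in_policy": mail_a.accept(dc_a.request_ticket("web.A", "alice", "mail.A")),
        "cross_domain": files_b.accept(dc_a.request_ticket("web.A", "alice", "files.B")),
    }
```

Even though domain A's policy lists files.B, the back end in domain B rejects the ticket because it was not issued by a domain controller it trusts, which is the cross-domain gap the last paragraph describes.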